Crypto-heist threatens to tank blockchain-based future


The DAO stands for the “Distributed Autonomous Organization,” and while that could very well refer to anything from a blockchain car-share app to a hive of honey bees, this rather boring title stands for something truly remarkable: the first unmanned investment portfolio. It is a proof of concept for what many believe will be the future of finance, with software organizing and overseeing an investment strategy developed through semi-democratic input from the collected investors. It’s secured by the much-ballyhooed Ethereum platform, using a cryptocurrency called Ether as its trading currency, and at first everything seemed to be proceeding according to plan. It was a confirmation of the promise of the blockchain, and proof that the future really is near at hand!

Then, just days after the DAO’s public launch, a lone hacker managed to digitally make off with more than $50 million worth of Ether, or roughly a third of the overall capital the DAO had raised. More than a setback, this was an existential problem: This was the one, specific thing that was supposed to be impossible under the supervision of the blockchain. Despite all the efforts detailed below, make no mistake: the DAO is dead. What’s important now is containing the damage, and stopping it from ruining trust in Ethereum as a whole.


Reports indicate that this hack took the form of a recursion glitch, which allowed infinite repetition of the otherwise legitimate command to ‘split’ your Ether out of a shared account that’s gearing up for investments you don’t support, and into a different account. The recursion algorithm was used to apply this split over and over, without updating the balance after each withdrawal. This allowed the target accounts to be completely drained, in maximum increments of the thief’s own investment in the DAO. At the time of the hack, the attacker got control of about 3.6 million Ether, out of about eight million overall.
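The ordering problem described above can be modeled in a few lines. This is an added illustration, not The DAO's contract code: the `Fund` class, its `split` method, the account names and the amounts are all constructed, and the model compares paying out before zeroing the balance with zeroing it first, then audits whether the pool still matches the recorded balances.

```python
class Fund:
    """Toy shared-pool ledger (constructed model, not The DAO's code)."""

    def __init__(self, deposits, update_first):
        self.balances = dict(deposits)
        self.pool = sum(deposits.values())
        self.update_first = update_first  # True = hardened ordering

    def split(self, account, on_receive):
        amount = self.balances[account]
        if amount == 0 or amount > self.pool:
            return
        if self.update_first:
            self.balances[account] = 0    # record the withdrawal first
        self.pool -= amount
        on_receive(amount)                # recipient's code runs before we return
        if not self.update_first:
            self.balances[account] = 0    # flawed: balance updated too late

    def consistent(self):
        # Defender's invariant: the pool must cover every recorded balance.
        return self.pool == sum(self.balances.values())


def run(update_first):
    # Constructed deposits: one re-entrant account and two ordinary investors.
    fund = Fund({"reentrant": 10, "alice": 40, "bob": 50}, update_first)
    received = []

    def on_receive(amount):
        received.append(amount)
        fund.split("reentrant", on_receive)  # calls back in mid-withdrawal

    fund.split("reentrant", on_receive)
    return sum(received), fund.pool, fund.consistent()


if __name__ == "__main__":
    print("pay first, update later:", run(update_first=False))
    print("update first, then pay :", run(update_first=True))
```

With the flawed ordering the pool empties in steps equal to the caller's own deposit and the invariant check fails; with the balance zeroed before the payout, the nested call finds nothing left to withdraw.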

As you might imagine, the response from both current and potential DAO investors has been strong. Ethereum is an almost absurdly ambitious idea, and at this early stage it’s buoyed almost entirely by public and investor interest; if public opinion begins to sour, and its early wins don’t lead to better, more ambitious projects to follow, Ethereum is still very capable of folding under its own weight.

While it was possible to undo this transaction, a large proportion of the DAO and blockchain community thought the cure could end up being worse than the disease. If all the participants in the DAO agree, they can collectively implement a “hard fork” in the software, in principle forcing a new reality into existence. This isn’t quite the same as hitting rewind, since the stolen funds don’t end up back in victims’ wallets directly, but are all deposited into a publicly accessible fund where investors can withdraw the amount they lost.

None of this saves the DAO. By de-legitimizing such a huge transfer of funds, the organization knowingly cut its own throat. Other DAOs and DAO-like entities will spring up, but they will be second shots at a previously tried and failed mission: to prove that the blockchain is both useful and safe for our most sensitive jobs and information.

We should take a moment to go over just what actually had to occur to make this “fix” possible: the users hosting the blockchain software all had to download and run the new, “forked” version of the blockchain. By the time the change was ready to go, polling of investors had made clear their preference for reimbursement, but there was still always a chance of disaster. If some non-trivial portion of the hosts decided to keep running the old version of the blockchain, the result would be two nearly-identical versions of the software, destroying one of the blockchain’s core features: keeping everyone coordinated.

Graph of Ether remaining in the withdrawal account. Source: Ether.camp

One interesting facet of this reimbursement: a lot of people have yet to collect their funds, totaling millions of dollars of unclaimed money. Some of this could be investment by the DAO team itself, and almost certainly some of it belongs to clueless investors who remain blissfully unaware of all this, but some users have also expressed frustration with the length of the withdrawal process. Since the blockchain-based wallet containing these funds can and will outlive (has outlived) the DAO itself, an investor could withdraw their funds five or 10 years from now, and it ought to make little difference. Assuming that crypto-investment is here to stay, it will take economists a while to fully wrap their heads around just how the peculiarities of digital currency affect how it flows through society.


Unfortunately, the problem with any software solution, no matter how ingenious, is that it always has unforeseen loopholes and exploits. We can only code for possibilities we consider; exploits happen when someone considers a possibility we didn’t.

Charles Guillory

The flaw with theDAO is not with the blockchain as the first part of the article implies. TheDAO was additional code that managed accounts that lived on top of the blockchain; by itself it can't rewrite history, but a fork can. (It didn't change the past, only was duped on where to send the money in the future.)